Home Transitions

ISO 27001:2022 Transition Guidance For Clients

ISO 27001:2022 "Information security, cybersecurity and privacy protection — Information security management systems — Requirements" was released in October 2022 and is set to replace ISO 27001:2013 via a three year transition period. All organizations that wish to remain certified to ISO 27001 will need to transition to the 2022 revision of the standard within the set transition period which is expected to end in Oct 2025.

NQA’s goal is to maintain a clear transition approach that is easy for our clients to comprehend and apply. Our aim is to provide organizations with the guidance and tools to make the transition from ISO 27001:2013 to ISO 27001:2022 as smooth as possible.

The overall allowable transition period is expected to be three years (i.e. from October 2022 through October 2025).

During that period both versions of the ISO 27001 standard remain valid and audits to either version of the standard may be conducted subject to the rules noted below, but plans should be made for an organization’s transition to fully occur prior to the transition period ending.

Detailed Transition Period

  • 25th October 2022 - ISO/IEC 27001:2022 3rd edition - Release date
  • 31st October 2022 - Transition period begins

  • 1st May 2024 - All initial (new) certifications should be to the 27001:2022 edition after this date and all recertification audits are recommended to utilize the 27001:2022 edition after this date.
    NQA will continue to accept applications for certification and issue new certificates against the 27001:2013 standard until this date.

  • 31st July 2025 - All transition audits should be conducted by this date.

  • 31st October 2025 - Transition period ends
    Certificates for ISO/IEC 27001:2013 will no longer be valid after this date.

ISO 27001:2022 Change Analysis

NQA considers ISO 27001:2022 to be a fairly significant yet necessary change. Changes within the body of the ISO 27001 standard have been made to better align with the harmonized structure for management system standards (i.e. Annex SL).

Of note, changes have been made in the following requirements:

  • 4.2 Understanding the needs and expectations of interested parties
  • 4.4 Information security management system

  • 6.2 Information security objectives and planning to achieve them

  • 6.3 Planning of changes

  • 9.1 Monitoring, measurement, analysis and evaluation

  • 9.3.2 Management review inputs

  • The Annex A controls have been regrouped from 14 control objectives to 4 broad themes that include: Organizational, People, Physical, and Technological Controls

  • The overall number of controls within Annex A stands at 93 controls compared to the 114 controls in the previous edition

  • However, several previous controls have been consolidated into broader new controls; and 11 new controls have been added, including:

    • Threat Intelligence

    • Information Security for use of Cloud Services

    • Physical Security Monitoring

    • Configuration Management

    • Information Deletion

    • Data Masking

    • Data Leakage Prevention

    • Web Filtering

    • Secure Coding

  • Additionally, ISO 27002:2022 identifies 5 control attributes to variously categorize controls; attributes include:

    • Control Type

    • Information Security Properties

    • Cybersecurity Concepts

    • Operational Capabilities

    • Security Domains

  • ISO 27002:2022 also defines a purpose for each individual control to better explain the intent of each control

In order to ensure that clients are successful with their transition NQA advises the following steps:

Preparing for your ISO 27001 Transition

  • Organizations must transition their management system in accordance with the requirements to ISO 27001:2022 before their transition audit is conducted. This should include any documentation changes, along with evidence of any new or changed process requirements.

  • Of note, organizations must conduct an internal audit and management review of the new/changed requirements prior to the NQA transition audit being conducted.

  • Organizations may have a transition gap assessment conducted by NQA prior to their official transition audit. This could be conducted in conjunction with an earlier ISO 27001:2013 surveillance, or at any other stand-alone time prior to their transition audit.

Your ISO 27001 Transition Audit

  • All organizations must have a transition audit to confirm the implementation of the revised standard. The transition audit may be conducted in conjunction with an existing audit, or may be a stand-alone audit.

  • If the transition audit is conducted in conjunction with an existing surveillance (i.e. transition surveillance) or recertification audit (i.e. transition re-assessment), additional time may be added to the audit duration in order to cover the new requirements/concepts introduced by ISO 27001:2022.

  • If a stand-alone audit is carried out for the transition audit, the duration be calculated on an individual organization basis.

Note: Specific audit durations for transition will depend on the actual situation of the organization including the organization’s size and the complexity of the ISMS. Your NQA Client representative will advise you of your specific transition audit duration

Revised ISO 27001:2022 Certificates

  • As with any audit, non-conformances identified during a transition audit will require a corrective action to be submitted and approved. An updated ISO 27001:2022 certification will be issued following corrective action approval.

  • Updated ISO 27001:2022 certificate issuance and validity will be as follows:

    • Transition surveillance – The organization’s existing ‘Valid Until Date’ will be maintained.

    • Transition re-assessment – A new ‘Valid Until Date’ will be issued for the renewed 3 year period.

    • Stand-alone transition – The organization’s existing ‘Valid Until Date’ will be maintained.

NQA ISO 27001:2022 Transition Checklist

NQA is in the process of developing an ISO 27001:2022 Transition Checklist, which provides a simple framework for evaluating your management system against the requirements of ISO 27001:2022. Once published, we encourage organizations to use this checklist as a tool to facilitate and record the changes within their management system and to retain this document for review at their transition audit.

Check back in the coming weeks or sign up to InTouch, our regular newsletter to be notified of its publication.

Additional Support

The NQA team is here to support you throughout the transition process. If you have any questions or need any help we can support you with:

  • Technical Analysis & Guidance. NQA will be providing various additional content over the coming months; please check NQA’s website and sign up for our newsletter to stay informed.

  • Pre-Assessment / Gap Analysis. NQA can provide a Pre-Assessment or Gap Analysis of your revised ISMS to determine the level of compliance of your ISMS to the requirements of ISO 27001:2022.

  • Webinars and Seminars. NQA will be providing general interpretative analysis and transition guidance; please check NQA’s website and sign up for our newsletter to stay informed.

  • Training. NQA offers a number of transition courses to ensure attendees have all the relevant information they need to ensure a smooth transition for their organization.

If you have any questions or just want to speak to someone regarding your transition please contact us.